Overview

overview

8

Static

static

IconCacheService.dll

windows7_x64

8

IconCacheService.dll

windows10-2004_x64

8

Resubmissions

27-10-2022 16:10

221027-tmnszscfh6 10

13-04-2022 09:32

220413-lhmfcsahbk 8

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220331-en
  • submitted
    13-04-2022 09:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IconCacheService.dll

  • Size

    248KB

  • MD5

    e031c9984f65a9060ec1e70fbb84746b

  • SHA1

    b01950ed9b1929fee04a9c23ac49e3de89e37228

  • SHA256

    95bbd494cecc25a422fa35912ec2365f3200d5a18ea4bfad5566432eb0834f9f

  • SHA512

    5dd1f004516b9fc0f0c36bca22dafaed9103191ebeea291e8d6f32f9b01b77fb18a0c4c5d04bd760a38651380a3680ede8b07f3d522f710b3df228ac8d934a2b

Score
8/10
persistence

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\IconCacheService.dll,#1
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    PID:2176
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4936
    • C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe
      "PowerShell.exe" -noexit -command Set-Location -literalPath 'C:\Users\Admin\Desktop'
      1⤵
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe"
        2⤵
          PID:4664
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" .\IconCacheService.dll IconCacheDBService
          2⤵
          • Blocklisted process makes network request
          PID:5068
        • C:\Windows\system32\rundll32.exe
          "C:\Windows\system32\rundll32.exe" .\IconCacheService.dll,IconCacheDBService
          2⤵
          • Blocklisted process makes network request
          PID:444
      • C:\Windows\system32\taskmgr.exe
        "C:\Windows\system32\taskmgr.exe" /4
        1⤵
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1392

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_11AE042D5C35868B5237021024D2A4C4
        Filesize

        313B

        MD5

        2ff1b7fd28a41161b27c2125cd4089ee

        SHA1

        e1106a378e85bca2fe674406681e90fd7fb27725

        SHA256

        0b58b3996da93f5535d5a0ebd84de6c7ebaab19ebdb4cc8287136b5c7b71ea09

        SHA512

        8adadd0df49d3d690bd49b6d95e99ba60f1cc144c79fb0d933744209ee16e7eb5c10f56ad526806b87ea075baaa45aa8278223ca6a89972c6027fd1fdb5e6e41

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
        Filesize

        471B

        MD5

        d1e89afb0692738b63b7c21954f3ae9e

        SHA1

        e14bd12f692739e657a5ee23f88091a56d257da6

        SHA256

        aa92ca89039867b43ec974dc44c05769c878c79dd34cd348b96fddbf6ac041c4

        SHA512

        a6309ed7dcf7549963ebecf5d2edf21a5aaf29ea49575c50f95b634e4a44d72bf50589aa75953e5d6d49d9a27401902b0ac7aa8c8d78f5d8cb21e29b9b052c0e

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_11AE042D5C35868B5237021024D2A4C4
        Filesize

        434B

        MD5

        98efba3c8a15380d5a3e7599b7cf9961

        SHA1

        1885ee896b42dac8fab126dcb7556e9078ac4f20

        SHA256

        6ffdfba5a4c066225f1a05af4a946f7f15c559016ba784eccc4d7c6e30f246a7

        SHA512

        9557068700c553b9c9b24e13ffd2359fa005e2eba90f29c3275f33e8e020a972f4e7c6a1543a0438aa48e90fdee9c447387f31514175ac2fa5b69513b5b84796

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565
        Filesize

        434B

        MD5

        0e97e85150b613e95268211f585f0166

        SHA1

        2ac84fd9e36af1501ab44bfa6961cc31e6e78af8

        SHA256

        2287b4fb040071ccdb961e23f6260763c294d82d9cef33d3d1dd12cd4692493a

        SHA512

        ede5324802ffeda96c40a2718d634c0db8daa052593f131f77abb7a4555e0563201f5e24f59d3472c5ec8fc377b754755f399466d2e322836a9af3c0c79266d9

        Download Submit

      • memory/444-144-0x00007FFDFA1B0000-0x00007FFDFA3A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/444-143-0x00007FFDFA1B0000-0x00007FFDFA3A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/444-142-0x0000000000000000-mapping.dmp

        Download

      • memory/2176-125-0x00007FFDFA1B0000-0x00007FFDFA3A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/2176-124-0x00007FFDFA1B0000-0x00007FFDFA3A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3744-129-0x0000020ABE950000-0x0000020ABE952000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3744-134-0x0000020AD9040000-0x0000020AD905E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3744-132-0x0000020AD9160000-0x0000020AD91D6000-memory.dmp

        Filesize

        472KB

        Download

      • memory/3744-131-0x0000020ABE956000-0x0000020ABE958000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3744-130-0x0000020ABE953000-0x0000020ABE955000-memory.dmp

        Filesize

        8KB

        Download

      • memory/3744-128-0x00007FFDD9AB0000-0x00007FFDDA571000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/3744-127-0x0000020AD9090000-0x0000020AD90D4000-memory.dmp

        Filesize

        272KB

        Download

      • memory/3744-126-0x0000020ABE840000-0x0000020ABE862000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4664-133-0x0000000000000000-mapping.dmp

        Download

      • memory/5068-135-0x0000000000000000-mapping.dmp

        Download

      • memory/5068-136-0x00007FFDFA1B0000-0x00007FFDFA3A5000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/5068-141-0x00007FFDFA1B0000-0x00007FFDFA3A5000-memory.dmp

        Filesize

        2.0MB

        Download